Entities use a variety of administrators to configure and maintain network resources such as routers and services. In some cases, those IT administrators are honest, trustworthy individuals. Unfortunately, in other cases, administrators may have a malicious interest in administering the network. Additionally, when an entity uses the services of a managed service provider, contractor, or other outside assistance, it may be difficult for the entity to determine the reliability or trustworthiness of an individual before granting that individual access to network resources.
One way that nefarious individuals exploit network resources is to roam from a device they are authorized to access to one they are not. For example, suppose a contractor has been hired to administer a router inside a private network that includes critical resources. If adequate protections are not in place, the contractor may be able to use his router access to obtain access to those resources.
Some routers have the ability to create user accounts that provide administrator and guest privileges. Unfortunately, a nefarious administrator with an administrator account on the router can still cause harm. Furthermore, in environments with many routers and/or many administrators, maintaining accounts for router administrators can be cumbersome. Some routers have the ability to disable particular commands, such as SSH and telnet, and prevent roaming out of the device. Unfortunately, not all routers support this functionality and, as with creating user and administrator accounts, it can be cumbersome to consistently disable such features.
Therefore, it would be desirable to have a better way to secure a network.